Access to a computer system is controlled by a combination of a user ID to identify a user and a password to verify the user. The password is initially created by the system and then can be changed by the user. It is only known to the user and is kept secure by an access control function within the computer system.
The combination of a user ID and password are the prevalent technology for access control to computer systems and are used in: (i) government agencies such as defense systems by defense employees to control access to classified data, (ii) business systems by employees of the business to control access to sensitive data, (iii) consumer systems by consumers to control access to consumer services and resources provided by a business, and (iv) banking systems to control access to online account data and so on.
The use of a password to control access suffers from some deficiencies, such as, too many passwords, easy to forget and unfamiliar difficult to remember long string passwords, and risk of compromise.
There have been many solutions to address one or more of these deficiencies. Some of them have been: 1) having longer passwords of at least 6 to 8 characters, where the password must have a combination of numerals and alphabets, 2) having password that have a combination of lower and upper case letters as well as a punctuation character, also referred to a pass phrase 3) having two layers of passwords common in defense systems 4) having the password changed periodically such as once a month or every three months, which is common in defense and sensitive business systems, 5) supplying additional personal data such as mother's name, place of birth or other data to the computer system when a password is forgotten, so that such data may be used to verify the user in lieu of a forgotten password.
New innovative solutions to address these deficiencies in password technology are also being researched. One example is a recent news report on Microsoft, which describes a research effort on creating and using a password that depends upon a user selecting points on a picture. The pixel location sequence is to be used as a password, as it is believed that points on a picture are easy to remember and also create a complex password.
Other solutions have been biometrics, such as the use of one's fingerprint, handprint, or retina-scan, to control access to a facility controlled by a computer system. Based on published stories, use of biometrics, have problems such as, having finger print can be easily fooled by an imposter gluing on some-one else's finger print on his fingers, and that people are hesitant to make biometric data available to computer systems for privacy reasons.
Smart cards are also being used in some cases to control access to a computer system. Use of smart cards or tokens require a smart card reader and a smart card being given to a person in advance. For these and other reasons they have not gained wide spread popularity.
In light of the above, it is an objective of the present invention to have a user authentication system that eliminates the problems of: (i) the users in having to create and remember passwords, in having to create different passwords for access to different systems, and passwords being stolen from the users by their carelessness or negligence; and (ii) the businesses in having to maintain computer systems that have a risk of compromise of password by carelessness of their employees or external hacker attacks.